What is zero trust?
How a zero trust security strategy better protects your business from internal and external attackers
As businesses shift to the cloud and attacks become more sophisticated, traditional security perimeters tied to the corporate network are no longer adequate to protect valuable resources in the modern IT environment. Employees still need to be able to access corporate data and applications, no matter where they’re stored or where employees are located, but businesses also have to be able to implement and monitor protections at a distance. Zero trust is a security concept many businesses are turning to in order to solve this dilemma.
Zero trust is based on the idea that no user or device, whether inside or outside a network, can be trusted. It’s a preventative technique effective for controlling access to networks, applications, and data.
The term was coined in 2010 by Forrester Research and started gaining traction in 2014 when Google announced its implementation of a zero trust strategy, BeyondCorp, after falling victim to the Operation Aurora attack in 2009.
How does a zero trust model differ from regular methods?
Traditional methods of security work on the assumption that everything within the organisation’s network can be trusted and that all users will act responsibly. This ‘castle-and-moat’ strategy leaves the organisation open to internal threats, but it also gives external attackers unlimited access once they break through that initial barrier.
On the other hand, zero trust requires users both inside and outside the network to be continuously authenticated to access applications and data. Since the point of infiltration is usually not an attacker’s target but just a way in, zero trust uses micro-segmentation, multi-factor authentication, and other barriers to limit the access attackers have once they have entered the network.
What strategies does a zero trust network model use?
A zero trust policy is not one technology, but a holistic approach that can be built into the existing architecture and should be used across an entire organisation. It uses multiple methodologies to uphold the idea of ‘never trust, always verify’. Here are some tactics organisations can use to limit the access users and endpoints have within their network:
- Least-privilege access: This involves assessing the needs of each user and giving them the lowest level of access possible, so that resources are only available to those that absolutely need them rather than open to anyone in the network.
- Identity and access management (IAM): IAM automates the processes of authenticating users and managing the appropriate levels of access for each user. IAM systems will provision users with access based on their role and de-provision employees that leave the company.
- Multi-factor authentication (MFA): This is a core component of an IAM policy that requires the user to supply two or more verification factors, often through one-time passwords (OTPs) sent through SMS, email, or an app.
- Endpoint security technology: The desktops, laptops, tablets, and mobile phones that any employee might use to access corporate resources add to the points of access for an attack and have to be properly secured. As more employees connect through their own devices or Wi-Fi connections, this is especially important.
- Micro-segmentation: This method divides workloads into separate zones and secures them individually, creating more barriers that attackers would have to bypass.
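The tactics above combine into a single per-request decision: every request is denied unless identity, MFA, endpoint posture, least-privilege role rules and the micro-segment boundary all check out. The following is an added illustration written for this article, not code from any vendor or from the original page; the roles, resources, segments and the 300-second re-verification window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege map: each role sees only what it needs.
# Role and resource names are hypothetical.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger-db": {"read"}},
    "finance-admin": {"ledger-db": {"read", "write"}},
    "support-agent": {"ticketing": {"read", "write"}},
}

# Constructed micro-segmentation: each resource lives in a zone, and each zone
# accepts traffic only from listed source segments.
RESOURCE_ZONE = {"ledger-db": "finance-zone", "ticketing": "support-zone"}
ZONE_ALLOWED_SOURCES = {
    "finance-zone": {"finance-clients"},
    "support-zone": {"support-clients"},
}

# Continuous verification: a session older than this must re-authenticate
# (constructed value).
VERIFICATION_TTL_SECONDS = 300


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    source_segment: str
    mfa_verified: bool         # result of the MFA step in the IAM flow
    device_compliant: bool     # endpoint posture check (patched, managed, etc.)
    session_verified_at: int   # epoch seconds of the last successful verification


AUDIT_LOG = []  # decisions are recorded so monitoring can review them


def evaluate(req, now):
    """Return (allowed, reason). Every check must pass; the default is deny."""
    decision = _decide(req, now)
    AUDIT_LOG.append((req.user, req.resource, req.action, decision[1]))
    return decision


def _decide(req, now):
    if not req.mfa_verified:
        return False, "mfa-required"
    if not req.device_compliant:
        return False, "device-noncompliant"
    if now - req.session_verified_at > VERIFICATION_TTL_SECONDS:
        return False, "reverify-session"
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, "least-privilege-deny"
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None or req.source_segment not in ZONE_ALLOWED_SOURCES.get(zone, set()):
        return False, "segment-deny"
    return True, "allow"


if __name__ == "__main__":
    now = 1_700_000_000
    ok = AccessRequest("alice", "finance-analyst", "ledger-db", "read",
                       "finance-clients", True, True, now - 60)
    print(evaluate(ok, now))  # (True, 'allow')
    escalate = AccessRequest("alice", "finance-analyst", "ledger-db", "write",
                             "finance-clients", True, True, now - 60)
    print(evaluate(escalate, now))  # (False, 'least-privilege-deny')
```

The order of checks matters only for the reason string; because each branch returns deny and only the final line allows, adding a new check can never widen access by mistake, which is the property you want from a ‘never trust, always verify’ engine.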
How do you enact a successful zero trust framework?
The tactics listed above will only work, however, if you can continuously monitor and validate a user and their device. Zero-trust enforcement relies on real-time visibility of a user’s identity, endpoint type, login details, and other attributes, and without this visibility, you won’t be able to clearly define policy.
You’ll need to identify the most sensitive data, assets, applications, and services (DAAS) and separate this from the rest of the network. Then you’ll want to map out the traffic surrounding this data—how it’s being accessed, where it’s going, and what it’s being used for. Knowing the intent of your organisation’s data is crucial to protecting it, and automated discovery tools can help with understanding this and deciding which data flows are absolutely essential.
Once you know what flows will be allowed and which won’t, you can architect the network to place boundaries between the different flows, creating micro-segments that will require authentication and validation to pass through and will help contain breaches.
Monitoring comes in again here, but at this stage it is about enforcing policy rather than defining it. You still need real-time visibility once you’ve implemented a zero trust architecture, only now this visibility is used to ensure continuous compliance.
Automation will be a crucial component of your policy engine to quickly make changes when necessary. The automated system can judge policy change requests that are within defined legitimate parameters and pass along those outside the parameters to actual human eyes, reducing the time you have to devote to maintaining your new zero trust model.
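The steps above (inventory the DAAS, decide which flows are essential, place boundaries between segments, monitor for compliance, and let automation triage routine policy changes) can be sketched end to end. The following is an added example for this article, not code from the original page or from any product; the segment names, the DAAS inventory, the flow-log format and the ‘legitimate parameters’ for auto-approval are all constructed assumptions.

```python
# Constructed inventory of which resources sit in which micro-segment, and
# which of them count as sensitive DAAS.
SEGMENT_RESOURCES = {
    "finance-zone": {"ledger-db"},
    "hr-zone": {"hr-records"},
    "support-zone": {"ticketing"},
    "shared-tools": {"wiki"},
}
DAAS = {"ledger-db", "hr-records"}

# The essential flows identified during mapping: (source segment, destination
# segment, port). Anything not listed is a violation.
ALLOWED_FLOWS = {
    ("finance-clients", "finance-zone", 5432),
    ("support-clients", "support-zone", 443),
    ("support-clients", "shared-tools", 443),
}

# Constructed flow-log sample: "<timestamp> <src> <dst> <port> <action>"
FLOW_LOG = """\
2024-01-01T10:00:00Z finance-clients finance-zone 5432 accept
2024-01-01T10:00:05Z support-clients finance-zone 5432 accept
2024-01-01T10:00:09Z support-clients support-zone 443 accept
2024-01-01T10:00:12Z guest-wifi finance-zone 22 accept
"""

# Parameters within which the policy engine may approve a change on its own:
# the destination segment holds no DAAS and the port is a standard web port.
AUTO_APPROVE_PORTS = {443}


def parse_flow(line):
    """Turn one constructed log line into (src, dst, port)."""
    _ts, src, dst, port, _action = line.split()
    return src, dst, int(port)


def find_violations(log_text):
    """Continuous compliance: every accepted flow not on the allow-list."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow not in ALLOWED_FLOWS:
            violations.append(flow)
    return violations


def segment_holds_daas(segment):
    return bool(SEGMENT_RESOURCES.get(segment, set()) & DAAS)


def triage_change(src, dst, port):
    """Return 'auto-approved' or 'human-review' for a requested new flow.

    Changes touching a DAAS segment, an unknown segment, or a non-standard
    port are always routed to a person; only routine changes are automated.
    """
    if dst not in SEGMENT_RESOURCES:
        return "human-review"
    if segment_holds_daas(dst) or port not in AUTO_APPROVE_PORTS:
        return "human-review"
    ALLOWED_FLOWS.add((src, dst, port))
    return "auto-approved"


if __name__ == "__main__":
    for v in find_violations(FLOW_LOG):
        print("VIOLATION", v)
    print(triage_change("finance-clients", "shared-tools", 443))  # auto-approved
    print(triage_change("guest-wifi", "finance-zone", 5432))      # human-review
```

Running the compliance check over the sample log flags the two flows that were never mapped as essential, including one that reaches the DAAS segment from an unmanaged source, which is exactly the kind of lateral movement micro-segmentation is meant to contain. The triage function is deliberately conservative: the engine can only ever widen access into segments that hold no sensitive data, so an over-broad departmental request still lands in front of a human.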
Challenges of zero trust
If the previous section hasn’t already made it clear, a zero trust policy, while extremely beneficial, is also a lot of work.
Firstly, it takes a lot of time and effort to get started. Zero trust isn’t a single switch you can just flick on; you’ll have to configure all of your current tools, and if your legacy systems don’t have the means for restricting access, you’ll have to build a new network from scratch. Although this takes longer, switching to a zero trust framework that has been built from scratch may be easier than trying to keep your current processes functioning while you tweak them to fit this framework.
Once you’ve got your policy in place, it will also require more user management, from employees to customers to clients and vendors, all with varied levels of access that require different policies. To spread the load, some administrators may hand over decisions about policy to each department so they can maintain it themselves, but this can also create issues, with some teams creating policies that are too broad and leave room for attacks.
With rapid growth in the number of devices each user has, the number of applications across a business, and the different ways to store and access data, such as the cloud, there are many factors that must be juggled when building a zero trust framework.